• Home
  • /Learn
  • /Cybersecurity Incident Management Process in Ontario
background image


Cybersecurity Incident Management Process in Ontario


Every enterprise has a specific set of rules and policies concerning how it manages access control, client data and employee data. A cybersecurity incident occurs when an unauthorized system breach in violation of these policies threatens the integrity and security of the confidential data and the company’s system itself.

Incident response in cybersecurity refers to how a company deals with an incident and its efforts to minimize the damage and prevent additional breaches. It also outlines the duties and responsibilities of each member of the security and management teams in the event of a cyber attack.

Why is cybersecurity incident management important?

Ontario is home to around 450,000 businesses. Today, almost every medium to large scale company uses technology to manage business processes and competitive functioning efficiently. However, the rising popularity of technology has opened the door for a slew of cyberattacks. These attacks not only breach security but also tarnish the reputation of a business and affect the bottom line.

Most firms are unaware that their security has been breached. The average response time to a breach is about 197 days, giving the attacker plenty of time to move freely within the organization’s network.

This is why an accessible incident management team is essential for every business to minimize damages and prevent future attacks.

Ontario guidelines

When a firm establishes a cybersecurity incident management procedure, it must do so in accordance with the relevant cybersecurity legislation. The government of Ontario mandates all businesses to follow the guidelines prescribed in the Government of Ontario Information Technology Standards (GO-ITS 37), which outlines the enterprise incident management process.

GO-ITS 37 Incident Management Process

GO-ITS 37 establishes 16 principles to ensure that the incident response procedure results in desired outcomes. These are the fundamental guidelines to provide a direction to develop an effective incident response procedure.

See the full document on the Ontario government website.

The Government of Ontario outlines 16 process principles for cybersecurity incident management:

The following principles are taken directly from section 4. Technical specifications, 4.1 process principles.

  1. A single enterprise incident management process shall be used across the 

    OPS in support of I & IT services.

  2. Incident classification must identify the service(s) that is/are impacted (from the customer’s perspective).

  3. The OPS ITSD shall be the single entry point into the enterprise incident management process and will have oversight of incidents through their complete lifecycle including assignment, functional and hierarchical escalation, tracking, communication and closure.

  4. The OPS ITSD shall act as the single point of contact for all business communication regarding reported incidents.

  5. An incident must be logged through the  OPS ITSD as a prerequisite for engagement of any tier 2-n support staff, including external service providers.

  6. Closure of incidents shall be dependent upon validating with either the end user or the customer that service has been restored.

  7. There shall be notification and escalation procedures that ensure consistent, timely incident resolution and communication of progress relative to service level agreements.

  8. All incident information, including resolution details, shall be logged in an accessible incident management repository.

  9. A separate procedure shall be established to manage resolution of major incidents that will include nomination of a single manager for the incident. This resource will be assigned from a pool of management within 

    ITS, Cyber Security Division or the Cluster.

  10. Any proposed service restoration activity which has the potential to impact other services or other customers of the same service must be approved by the Service Owner(s) before being undertaken.

  11. Incident resolution activities must commence as soon as possible for all incidents regardless of priority.

  12. All Service Owners and OPS Service Providers shall fulfill their roles in compliance with the OPS enterprise incident management process.

  13. A mechanism must be in place to identify security-related incidents and engage appropriate support staff to resolve the issue.

  14. A proactive enterprise incident management process is required where high likelihood of future impact is detected, and corrective action is required to prevent business impact.

  15. Event management is essential to enterprise incident management by providing information on the status of I+IT services and detecting any deviation from normal or expected operational behaviour.

  16. An event transitions to an incident when it is assessed as a clearly defined exception that may cause significant impact to business services.

Incident Response Team: process roles and responsibilities

The guideline outlines a set of mandatory roles and responsibilities that must be established to execute the incident management process. Roles can be assigned to more than one individual and multiples roles can be assigned to one person.

Process Owner: Oversees the entire process and ensures that it is followed by the organization and is responsible for approving changes in process plans.

Incident Manager (IM): Responsible for the execution of the incident management process and is accountable for incident lifecycles.

Situation Manager (SM): Responsible for resolving escalated incidents and restoring service.

Queue Manager (QM): Ensures all the incident tickets in a queue are assigned to relevant teams and actions are being taken to resolve them.

Service Desk Manager (SDM): Manages overall service desk activities and ensures appropriate staffing is in place to manage all incidents.

Service Desk Team Lead (TL): Reports to the service desk manager and works directly with the service desk team to ensure the effectiveness of the diagnostics of the incident.

Service Desk Agent (SDA): Provides point of contact for the customers during the incident. Also responsible for creating records of new incidents and updating the records of the existing ones.

Incident Analyst (IA): Reports to the incident manager and provides the team with technical expertise to resolve incidents.

Service Owner: Responsible for identifying, documenting, and maintaining internal/external partner solution/service knowledge necessary to inform the support model.

Infrastructure Technology Services Incident Advisor (ITS-IA): Provides a bridge for communications between the incident manager and partner organizations, like telecom and third-party providers.

Communication Coordinator: Ensures communications concerning operations in the process and is responsible for providing status updates and information to personnel.


The guideline provides a comprehensive overview of the roles and responsibilities required to establish an effective incident response team. Furthermore, it also details the importance of documentation, communication, and training in order to ensure the success of the process.

Packetlabs is your go-to resource for pentesting and cybersecurity. Contact the Packetlabs team today.